Wireguard

  • init.d script

This init.d script creates a Linux network namespace (vpn) and builds a point-to-point link between the global namespace and the (vpn) namespace for monitoring/polling.
A specific process can then be started inside the namespace so that it is isolated there for security purposes.

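#!/bin/sh
# Wireguard-in-a-namespace init.d helper.
#
#   up    creates the network namespace $NETNS_NAME, connects it to the main
#         namespace with a veth pair ($VETH_MAIN stays in the main namespace,
#         $VETH_NS moves into the new one), creates the Wireguard device
#         $DEV_NAME, moves it into the namespace, loads $WG_CONF and makes the
#         tunnel the namespace's default route. Only processes started inside
#         the namespace (ip netns exec $NETNS_NAME ...) can use the tunnel; the
#         main namespace reaches them over the veth link only.
#   down  tears all of that down again.
#
# Requirements: root, iproute2 with "ip -n", wireguard-tools ("wg").
# Usage: $0 {up|down}
set -u

NETNS_NAME="vpn"
DEV_NAME="wg2"
WG_CONF="/etc/wireguard/$DEV_NAME.conf"

# veth pair linking the main namespace to the vpn namespace. A /30 leaves
# exactly the two host addresses needed for the point-to-point link.
VETH_MAIN="veth0"
VETH_NS="veth1"
VETH_MAIN_ADDR="10.1.1.1/30"
VETH_NS_ADDR="10.1.1.2/30"

# Main-namespace LAN that must stay reachable from inside the namespace
# (monitoring/polling). It is routed back over the veth pair, not the tunnel.
MAIN_LAN="192.168.0.0/24"

# Print a diagnostic and abort with status 1.
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

# Log the command that was just run (same style as the original script).
log() {
  printf '%s\n' "$*"
}

# Print the value(s) of key $1 from $WG_CONF, whitespace separated.
# Only lines that *start* with the key are matched, so the word "Address"
# inside a comment or a key does not leak in; a trailing "# comment" is
# dropped and commas are turned into spaces because wg-quick allows
# "Address = a, b" and "DNS = a, b".
conf_value() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$WG_CONF" \
    | sed 's/[[:space:]]*#.*//' \
    | tr ',' ' '
}

# Load $WG_CONF into the device inside the namespace.
# "wg setconf" only accepts the kernel-level [Interface]/[Peer] keys; the
# wg-quick-only keys (Address, DNS, MTU, Table, *Up/*Down, SaveConfig) make it
# reject the whole file, so they are filtered out on the way in. The config
# is piped rather than copied to a temp file so the private key is never
# written to disk a second time.
load_wg_config() {
  grep -v -E \
    '^[[:space:]]*(Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig)[[:space:]]*=' \
    "$WG_CONF" \
    | ip netns exec "$NETNS_NAME" wg setconf "$DEV_NAME" /dev/stdin \
    || die "wg setconf failed for $WG_CONF"
}

# Write /etc/netns/$NETNS_NAME/resolv.conf from the DNS key(s) in $WG_CONF.
# "ip netns exec" bind-mounts that file over /etc/resolv.conf for processes
# started in the namespace, so their lookups use the tunnel's resolvers.
write_netns_resolv_conf() {
  dns_list=$(conf_value DNS)
  [ -n "$dns_list" ] || return 0
  resolv="/etc/netns/$NETNS_NAME/resolv.conf"
  mkdir -p "/etc/netns/$NETNS_NAME" || die "cannot create /etc/netns/$NETNS_NAME"
  : > "$resolv"
  # Intentionally unquoted: one nameserver line per whitespace-separated entry.
  for ns in $dns_list; do
    printf 'nameserver %s\n' "$ns" >> "$resolv"
  done
}

case "${1:-}" in
  up)
    [ "$(id -u)" -eq 0 ] || die "must be run as root"
    [ -r "$WG_CONF" ] || die "cannot read $WG_CONF"

    # Create the namespace once; /var/run/netns/<name> is the handle ip(8)
    # keeps for it.
    if [ ! -e "/var/run/netns/$NETNS_NAME" ]; then
      ip netns add "$NETNS_NAME" || die "cannot create netns $NETNS_NAME"
    fi
    ip -n "$NETNS_NAME" link set dev lo up

    # veth pair: $VETH_MAIN stays here, $VETH_NS is moved into the namespace.
    # Skipped when a previous, partially torn-down run left the pair behind.
    if ! ip link show dev "$VETH_MAIN" >/dev/null 2>&1; then
      ip link add "$VETH_MAIN" type veth peer name "$VETH_NS" \
        || die "cannot create veth pair $VETH_MAIN/$VETH_NS"
    fi
    ip addr add "$VETH_MAIN_ADDR" dev "$VETH_MAIN"
    sleep 1
    ip link set "$VETH_MAIN" up
    ip link set "$VETH_NS" netns "$NETNS_NAME"
    sleep 1
    ip -n "$NETNS_NAME" addr add "$VETH_NS_ADDR" dev "$VETH_NS"
    ip -n "$NETNS_NAME" link set "$VETH_NS" up
    sleep 1

    # Route the main LAN back over the veth pair; the gateway is the main
    # side's address with the prefix length stripped.
    ip -n "$NETNS_NAME" route add "$MAIN_LAN" via "${VETH_MAIN_ADDR%/*}" dev "$VETH_NS"

    # The Wireguard device is created in the main namespace (which owns the
    # physical uplink the tunnel is carried over) and then moved: its UDP
    # transport stays bound to the namespace it was created in, so the vpn
    # namespace can only reach the outside through the tunnel.
    ip link add "$DEV_NAME" type wireguard || die "cannot create $DEV_NAME"
    sleep 1
    ip link set "$DEV_NAME" netns "$NETNS_NAME" || die "cannot move $DEV_NAME into $NETNS_NAME"
    sleep 1

    load_wg_config

    ip -n "$NETNS_NAME" link set "$DEV_NAME" up
    log "ip -n $NETNS_NAME link set $DEV_NAME up"
    sleep 1

    # Assign every address listed under Address (there may be several, e.g.
    # an IPv4 and an IPv6 one). Intentionally unquoted to split the list.
    for addr in $(conf_value Address); do
      ip -n "$NETNS_NAME" addr add "$addr" dev "$DEV_NAME"
      log "ip -n $NETNS_NAME addr add $addr dev $DEV_NAME"
    done

    # Make the tunnel the default route inside the namespace.
    ip -n "$NETNS_NAME" route add default dev "$DEV_NAME"

    write_netns_resolv_conf

    # Restart DELUGED
    #service deluged restart
    ;;
  down)
    [ "$(id -u)" -eq 0 ] || die "must be run as root"

    # The device lives inside the namespace, so it must be looked up there;
    # the main namespace's /proc/net/dev does not list it.
    if ip -n "$NETNS_NAME" link show dev "$DEV_NAME" >/dev/null 2>&1; then
      ip -n "$NETNS_NAME" link delete dev "$DEV_NAME"
      log "ip -n $NETNS_NAME link delete dev $DEV_NAME"
    fi

    # Deleting one end of the veth pair removes the other end as well, so
    # $VETH_MAIN in the main namespace needs no separate cleanup.
    if ip -n "$NETNS_NAME" link show dev "$VETH_NS" >/dev/null 2>&1; then
      ip -n "$NETNS_NAME" link delete "$VETH_NS"
      log "ip -n $NETNS_NAME link delete $VETH_NS"
    fi

    ip netns delete "$NETNS_NAME" || die "cannot delete netns $NETNS_NAME"
    log "ip netns delete $NETNS_NAME"
    ;;
  *)
    printf 'Usage: %s {up|down}\n' "$0" >&2
    exit 1
    ;;
esac
exit 0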